The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 31

Confidentiality


Often thought of as “keeping secrets,” confidentiality is actually about sharing secrets. Confidentiality is both a legal and an ethical concept about privileged communications or privileged information. Privileged information is information you have, own, or create, and that you share with someone else under an agreement that they cannot share that knowledge with anyone else without your consent or without due process in law. You place your trust and confidence in that other person's adherence to that agreement. Relationships between professionals and their clients, such as the doctor-patient or attorney-client ones, are prime examples of this privilege in action. Except in rare cases, courts cannot compel parties in a privileged relationship to violate that privilege and disclose what was shared in confidence.

Confidentiality refers to how much we can trust that the information we're about to use to make a decision has not been seen by unauthorized people. The term unauthorized people generally refers to any person or group of people who could learn something from our confidential information and then use that new knowledge in ways that would thwart our plans to attain our objectives or cause us other harm.

Confidentiality needs dictate who can read specific information or files or who can download or copy them; this is significantly different from who can modify, create, or delete those files.

One way to think about this is that integrity violations change what we think we know; confidentiality violations tell others what we think is our private knowledge.
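The read-versus-modify distinction above is what an access policy has to encode: disclosure rights (read, download, copy) and change rights (modify, create, delete) are granted and checked separately. The following is an added illustration, not code from the book; the resource labels, group names, user names and the in-memory refusal log are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    # Confidentiality-relevant actions: they disclose content without changing it.
    READ = "read"
    DOWNLOAD = "download"
    COPY = "copy"
    # Integrity-relevant actions: they change what the organization thinks it knows.
    MODIFY = "modify"
    CREATE = "create"
    DELETE = "delete"


DISCLOSURE_ACTIONS = {Action.READ, Action.DOWNLOAD, Action.COPY}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # constructed label, e.g. "nda-shared" for partner data under NDA
    readers: frozenset     # groups cleared to see the content
    editors: frozenset     # groups cleared to change it; must also be readers


DENIED_LOG: list = []      # constructed audit trail of refused requests (detection input)


def authorize(user: str, user_groups: set, res: Resource, action: Action) -> bool:
    """Return True if the user's groups permit the action; record every refusal."""
    if action in DISCLOSURE_ACTIONS:
        allowed = bool(user_groups & res.readers)
    else:
        # Changing content needs edit rights, and editing implies reading, so require both.
        allowed = bool(user_groups & res.editors & res.readers)
    if not allowed:
        DENIED_LOG.append(f"{user} denied {action.value} on {res.name} [{res.classification}]")
    return allowed


# Constructed sample: a partner's design document shared with the company under an NDA.
NDA_DOC = Resource(
    name="partner-design.pdf",
    classification="nda-shared",
    readers=frozenset({"legal", "engineering"}),
    editors=frozenset({"legal"}),
)


def demo() -> dict:
    """Exercise the policy: engineering may read but not alter; contractors see nothing."""
    DENIED_LOG.clear()
    return {
        "eng_read": authorize("alice", {"engineering"}, NDA_DOC, Action.READ),
        "eng_modify": authorize("alice", {"engineering"}, NDA_DOC, Action.MODIFY),
        "contractor_copy": authorize("bob", {"contractors"}, NDA_DOC, Action.COPY),
        "legal_delete": authorize("carol", {"legal"}, NDA_DOC, Action.DELETE),
        "refusals": len(DENIED_LOG),
    }
```

Every refusal lands in the log, so a reviewer can see both kinds of violation attempt separately: someone trying to read what they should not, and someone trying to change what they may only read.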

Business has many categories of information and ideas that it needs to treat as confidential, such as the following:

- Proprietary, or company-owned, information, whether or not protected by patent, copyright, or trade secret laws
- Proprietary or confidential information belonging to others but shared with the company under the terms of a nondisclosure agreement (NDA)
- Company private data, which can include business plans, budgets, risk assessments, and even organizational directories and alignments of people to responsibilities
- Data required by law or regulation to be kept private or confidential
- Privacy-related information pertaining to individual employees, customers, prospective customers or employees, or members of the public who contact the firm for any reason
- Customer transaction and business history data, including the company's credit ratings and terms for a given customer
- Customer complaints, service requests, or suggestions for product or service improvements

In many respects, such business confidential information either represents the results of investments the organization has already made or provides insight that informs decisions it is about to make; either way, all of this and more represents competitive advantage to the company. Letting this information be disclosed to unauthorized persons, whether outside the company or inside it but outside the right circles, threatens to reduce the value of those investments and the future return on them. In the extreme, it could put the company out of business!

Let's look a bit closer at how to defend such information.
